Closed timb-machine closed 3 years ago
The post above shows two memory locations to look at, kernel keyrings and in-process structs.
We can tackle the latter simply by looking for libraries that link to libkrb5.so and dumping the process with gcore. We can use @AdeptsOf0xCC's technique to look for krb5_keyblock structs.
Need to dig into the former to see what we can do from a shell script perspective. We'll continue to track the wider re-engineering under #6.
https://adepts.of0x.cc/kerberos-thievery-linux/
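
For the in-process case above, a defender can inventory which processes have libkrb5.so mapped and check whether Yama's ptrace_scope restricts attaching to them, which gcore depends on. This is an added example, not code from this issue or its repository; the function names and the optional proc-root argument (used to run against a constructed tree) are assumptions.

```shell
#!/bin/sh
# Added example: audit exposure of in-process Kerberos key material.
# Both functions take an optional proc root (hypothetical parameter,
# default /proc) so they can be run against a constructed tree.

# Print "PID COMM" for each process whose maps file lists libkrb5.so.
krb5_mapped_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # maps line format: address perms offset dev inode pathname
        # Accept versioned names and libraries replaced on disk
        # ("(deleted)"), but not libkrb5support.so.
        if grep -Eq '/libkrb5\.so[.0-9]*( \(deleted\))?$' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            pid=${pid##*/}
            comm=$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
}

# Summarise the Yama ptrace_scope setting that governs who may attach.
ptrace_policy() {
    f="${1:-/proc}/sys/kernel/yama/ptrace_scope"
    if [ -r "$f" ]; then v=$(cat "$f"); else v=absent; fi
    case "$v" in
        0) echo "classic" ;;       # any same-UID process may attach
        1) echo "restricted" ;;    # only ancestors or declared tracers
        2) echo "admin-only" ;;    # requires CAP_SYS_PTRACE
        3) echo "no-attach" ;;     # attach disabled until reboot
        absent) echo "no-yama" ;;  # Yama not enabled: classic rules
        *) echo "unknown" ;;
    esac
}

echo "ptrace policy: $(ptrace_policy)"
echo "processes with libkrb5.so mapped:"
krb5_mapped_pids
```

A "classic" or "no-yama" result means any process running as the same user can attach to the listed processes; "restricted" or stricter narrows that to ancestors, declared tracers or privileged callers.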